Chrome Extensions With Over 1 Million Installs Hijack Targeted Browsers

Posted on October 26, 2022 at 4:08 AM


A new malvertising campaign has been discovered hijacking targeted browsers and inserting affiliate links into web pages. Analysts at Guardio Labs have named the campaign “Dormant Colors” because all of the extensions offer color customization options and arrive on the victim’s system containing no malicious code, which keeps them hidden.

The Guardio report also revealed that 30 variants of the browser extensions were available by mid-October 2022. They were seen on both the Edge and Chrome web stores, with more than 1 million installs. The malvertising campaign starts with redirects or advertisements when a user visits a website that offers video downloads.

But when the user tries to watch the video or download a program, they are redirected to another webpage that advises the user to install an extension to continue.

Once the user accepts and clicks the “Continue” button, they are asked to install the color-changing extension. When the user installs it, they are redirected to various pages that side-load malicious scripts. These scripts instruct the extension on how to carry out search hijacking and on which sites to plant affiliate links.

The Guardio report also noted that the first stage of the malware creates elements on the page while going to great lengths to conceal its JavaScript API calls.

To complete its tasks, it assigns a new URL to the location object, which redirects the user to the ads that finalize the deceptive flow.

The Operators Use Malvertising To Generate Ad Revenue

The extension also redirects search queries so that results are returned from sites affiliated with the extension developer. The researchers say this happens when the threat actors choose to carry out search hijacking, which generates income from the sale of search data and from ad impressions.

But Dormant Colors goes further than this. It can hijack the victim’s browsing on an extensive list of 10,000 websites by redirecting the user to the same page with an affiliate link appended to the URL.

After the tags are appended to the URL, any purchase the user makes on the site automatically generates a commission for the developers. The security analysts have also shared videos that demonstrate the malware’s hijacking component.
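The two behaviours just described, search queries being rerouted to affiliated sites and affiliate tags being appended to an otherwise identical page URL, both leave a trace in the difference between the URL a user asked for and the URL the browser finally landed on. The following is an added example written for this article, not code from Guardio or from the Dormant Colors extensions; it takes pairs of requested/landed URLs (the constructed telemetry below stands in for a browser history or proxy log) and flags those two patterns. The search-engine list, the affiliate parameter names and the sample hosts are assumptions chosen for illustration, not indicators from the report.

```javascript
// Added example (not from the Guardio report or the article): a defender-side
// check that compares the URL a user requested with the URL the browser landed
// on, and flags search hijacking and affiliate-tag injection of the kind the
// article describes.

// Hypothetical list of query-string parameters commonly used for affiliate
// attribution. Constructed for the example; tune it to your own environment.
const AFFILIATE_PARAMS = new Set(["tag", "ref", "aff_id", "affid", "clickid"]);

// Hypothetical list of legitimate search engines. A search typed into one of
// these that lands on any other host is treated as hijacked.
const SEARCH_HOSTS = new Set(["www.google.com", "www.bing.com", "duckduckgo.com"]);

// Returns null when nothing suspicious is seen, otherwise a finding object.
function classifyNavigation(requestedUrl, landedUrl) {
  const req = new URL(requestedUrl);
  const land = new URL(landedUrl);

  // Case 1: search hijacking. A query sent to a known search engine ends up
  // on a different host that still carries the user's query.
  if (SEARCH_HOSTS.has(req.hostname) && !SEARCH_HOSTS.has(land.hostname)) {
    const q = req.searchParams.get("q");
    if (q !== null) {
      return { type: "search-hijack", query: q, landedHost: land.hostname };
    }
  }

  // Case 2: affiliate injection. Same host and path, but the landed URL
  // gained query parameters the user never sent, and at least one of them is
  // an affiliate-style attribution parameter.
  if (req.hostname === land.hostname && req.pathname === land.pathname) {
    const added = [];
    for (const [key] of land.searchParams) {
      if (!req.searchParams.has(key)) added.push(key);
    }
    const affiliate = added.filter((k) => AFFILIATE_PARAMS.has(k.toLowerCase()));
    if (affiliate.length > 0) {
      return { type: "affiliate-inject", addedParams: affiliate };
    }
  }
  return null;
}

// Run the classifier over {requested, landed} records and collect findings.
function scanNavigations(records) {
  const findings = [];
  for (const rec of records) {
    const f = classifyNavigation(rec.requested, rec.landed);
    if (f) findings.push({ ...f, requested: rec.requested });
  }
  return findings;
}

// Constructed sample telemetry. Hosts and parameter values are illustrative
// placeholders, not indicators from the report.
const SAMPLE_RECORDS = [
  // benign: user searched and stayed on the search engine
  { requested: "https://www.google.com/search?q=usb+cable",
    landed:    "https://www.google.com/search?q=usb+cable" },
  // search hijack: the query is forwarded to an unrelated host
  { requested: "https://www.google.com/search?q=usb+cable",
    landed:    "https://search.example-feed.invalid/results?q=usb+cable" },
  // affiliate inject: same product page, attribution tag appended
  { requested: "https://shop.example.com/item/12345",
    landed:    "https://shop.example.com/item/12345?tag=affiliate-placeholder" },
  // benign: the site added its own session parameter, not an affiliate tag
  { requested: "https://shop.example.com/cart",
    landed:    "https://shop.example.com/cart?sessionid=abc" },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(scanNavigations(SAMPLE_RECORDS), null, 2));
}
```

Run it with `node` to see the two findings from the sample records. The same-host-and-path condition is what separates affiliate tagging from ordinary redirects: a site appending its own session or locale parameter is ignored, while a parameter from the affiliate list appearing on a page the user requested without it is reported.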

As a result, the researchers have warned that the operators of Dormant Colors could cause far more havoc than affiliate hijacking by using the same stealthy method of side-loading malicious code.

The Malware Operators Can Carry Out Stealthier Campaigns

Guardio also stated that the operators can send targets to phishing pages to steal credentials for bank sites, Google Workspace, Microsoft 365, or social media platforms.

Although there is no evidence that the campaigns are carrying out more damaging malicious behavior, the analysts stated that the operators can enable it by side-loading additional scripts.

The extensions listed in the IoC section of the report are no longer available or have been taken offline. However, the researchers noted that the operators can re-launch the extensions under new add-on names and domains.

The researchers have warned that users need to be careful when adding or installing new apps on their smartphones.

The extensions themselves contain no malicious code when they pass through Google’s security check for the Chrome Web Store. But after getting through this process, they eventually unleash their mayhem and steal ad revenue.

The researchers have advised that users who have installed any of the affected extensions may need to remove them manually from their devices. Although the extensions have been deleted from the Chrome Web Store, users who have already installed them remain at risk.

Guardio has also provided further explanation of its findings on the malicious extension campaign. The researchers warned that although the campaign has been exposed, it is still up and running, generating new extensions, re-inventing more colors, and shifting domains. Additionally, the developers of the malicious extensions appear to have a long-term plan for their attack, having developed a highly evasive technique to circumvent security checks.

Guardio has advised users who want to add new extensions to their browsers to ensure that they have the best security protection or anti-virus software installed on their devices.

Users have also been advised to install new extensions only from trusted sources such as Microsoft Edge Add-ons or the Chrome Web Store. Although some bad extensions can still find their way into legitimate browser stores, it is still safer to install browsers from official sites than from elsewhere on the web.
